If you want to obtain a wildcard certificate using Let’s Encrypt’s new ACMEv2 server, you’ll also need to use one of Certbot’s DNS plugins. Your Certbot version must be at least 0.22.0.

If you’re on CentOS/RHEL 7, Arch Linux, or Fedora 26+, you can install the appropriate Certbot DNS plugin for your DNS provider, as described below. Particular instructions for each provider can be found at certbot.eff.org. If you’re not on one of these distros and want a wildcard certificate ASAP, you have two options: install packages using Docker or use Certbot’s manual plugin.

Docker is an amazingly simple and quick way to obtain a certificate. However, this mode of operation is unable to install certificates or configure your webserver, because Certbot’s installer plugins cannot reach your webserver from inside the Docker container.

Alternatively, the manual plugin can be used outside of a Docker image, and therefore interact with webservers to install the certificates, but it cannot be used to automatically renew the certificates.

Either way, for now you’ll need to add the --server flag to specify the new endpoint:

--server https://acme-v02.api.letsencrypt.org/directory

Note: 0.22.0 users should not attempt to use --dry-run or --staging, as these flags tell Certbot to use the ACMEv1 staging endpoint. This was fixed for 0.22.1+.

If you’re on CentOS/RHEL 7, Arch Linux, or Fedora 26+, you can install the appropriate Certbot DNS plugin for your DNS provider, as described below.

Could be I’m blind, but I’m not seeing any description on how to install the DNS plugins with the mentioned distributions.

Also, with Gentoo it’s also child’s play to install a DNS plugin for certbot. Only the ebuild(s) aren’t available publicly. I’ve made one for the RFC2136 plugin, but can’t upload the ebuild at this moment.

You can also create 256-bit ECC wildcard certificates next to the default 2048-bit RSA.

I have been using it on Ubuntu for a while now. ECC intermediate or root is not supported atm. You need to create a private key and a certificate signing request which covers both wildcard/www and non-www
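
The key and CSR step described in the post above, as an added example that is not part of the original thread or of Certbot's own code. It assumes the `openssl` command-line tool is installed and uses example.com as a placeholder domain; the function names are hypothetical.

```bash
#!/bin/sh
# Added example (not from the thread). example.com is a placeholder domain.

# Create a P-256 private key and a CSR whose SAN lists both names.
# *.example.com does not match the bare example.com, so both are required.
make_wildcard_csr() {
    domain="$1"; outdir="$2"
    key="$outdir/$domain.key"; csr="$outdir/$domain.csr"; cnf="$outdir/$domain.cnf"
    mkdir -p "$outdir" || return 1

    # Generate the key under a restrictive umask so only the owner can read it.
    ( umask 077
      openssl ecparam -genkey -name prime256v1 -noout -out "$key" ) || return 1

    # Minimal request config: no prompts, CN plus a subjectAltName extension.
    cat > "$cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = san
[dn]
CN = $domain
[san]
subjectAltName = DNS:*.$domain, DNS:$domain
EOF
    openssl req -new -sha256 -key "$key" -config "$cnf" -out "$csr"
}

# Print the DNS names in a CSR, one per line.
csr_names() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*'
}

# Print the named curve of the CSR's public key.
csr_curve() {
    openssl req -in "$1" -noout -text | sed -n 's/^ *ASN1 OID: *//p'
}

# Usage: sh wildcard_csr.sh example.com ./out
if [ -n "${1:-}" ]; then
    make_wildcard_csr "$1" "${2:-.}" && csr_names "${2:-.}/$1.csr"
fi
```

The resulting CSR can be passed to `certbot certonly` with its `--csr` option, together with a DNS plugin or the manual plugin and the `--server` flag from the first post.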